Mango Markets Set to Pay $47M Bug Bounty to Hacker
96% of Voting Tokens Favor Deal; Mango Markets Will Not Pursue Criminal Charges
Decentralized finance exchange Mango Markets is set to pay $47 million as a bug bounty to the hacker who stole $117 million in digital assets on Wednesday.
Mango Markets is a trading platform built on the Solana blockchain. The platform halted operations, ceasing all deposits and withdrawals, to limit the impact of the attack.
Under a new deal between the hacker and the decentralized finance exchange, the hacker will keep $47 million as a bug bounty and will return the remaining $67 million stolen via the protocol.
The hacker initially submitted a proposal to the decentralized autonomous organization governing Mango Markets that would have given the attacker a $70 million bounty.
The Mango DAO governs Mango Markets and gives MNGO token holders the power to make decisions about the platform's functions.
The attacker also demanded that the decentralized finance company not initiate a criminal investigation or freeze the hacker's funds if the proposal passes.
Voting ended on Saturday at 1:12 a.m. UTC, and 96% of the governance vote, representing around 473 million tokens, was in favor of the deal. Only 3.4% were against the deal.
The hackers also allegedly voted for this proposal using millions of tokens stolen in the exploit.
"The funds sent by you and the mango DAO treasury will be used to cover any remaining bad debt in the protocol. All mango depositors will be made whole," the governance vote says.
The deal also requires hackers to send back some of the tokens within 12 hours of the proposal opening "as a show of good faith" and to return the remaining assets within 12 hours once the vote is complete and the deal is passed.
Reacting to the update, the chief executive of cryptocurrency trading firm Wintermute said on Twitter, "I understand Mango community and why the protocol wants to move on and close that page, but this outcome feels so wrong. Like really, can we fund a DAO to take that guy down (in legal way) independently?"
According to a voter in the forum, the deal is "an absurdly high bounty for such a low-tier attack." Another voter said, "We should give him less of a bounty because he is a criminal in no position to negotiate anymore. He's dox'd and will be arrested - don't give him ± $50M! 25M total is more than enough. Cut it by 50%."
The attacker manipulated the price oracle data of the MNGO token to take out "massive" under-collateralized crypto loans from the Mango treasury, according to blockchain security firm OtterSec, which identified the attack.
An oracle is a tool that feeds relevant off-chain data to the blockchain for smart contracts to use. A price oracle shows the price information for a digital asset. "Neither oracle providers have any fault here. The oracle price reporting worked as it should have," the company said.
The vulnerability stemmed from the thin liquidity on the exchange market between MNGO and the USDC stablecoin, which was used as the price reference for a MNGO perpetual swap.
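The thin-liquidity point above can be expressed as a risk check a protocol team could run against its own reference market. The following Python is an added example, not code from Mango Markets or OtterSec: it compares what it costs to push a spot-derived reference price through an order book with the borrowing power that move creates on a long perpetual position. The function names, the simplified valuation model and every number are assumptions constructed for illustration.

```python
# Added illustration. Every number below is constructed, not Mango Markets data.
from decimal import Decimal as D

def cost_to_move_price(asks, target_price):
    """Quote currency spent buying every ask priced below target_price.

    asks: (price, size) pairs. Once they are filled, the best ask, and so a
    spot-derived reference price, sits at or above target_price.
    """
    return sum((price * size for price, size in asks if price < target_price), D(0))

def unlocked_borrow(position, entry_price, ref_price, collateral_weight):
    """Borrowing power created by unrealised profit on a long perpetual swap
    marked at ref_price (assumed, simplified valuation model)."""
    profit = max(position * (ref_price - entry_price), D(0))
    return profit * collateral_weight

def max_safe_position(asks, spot, shock, collateral_weight):
    """Largest long position for which pushing the reference price up by
    `shock` (4 means +400%) costs at least as much as it unlocks."""
    target = spot * (1 + shock)
    return cost_to_move_price(asks, target) / ((target - spot) * collateral_weight)

# Constructed order books for the same token: one thin, one deep.
THIN_ASKS = [(D("0.04"), D("100000")), (D("0.06"), D("150000")),
             (D("0.10"), D("200000")), (D("0.30"), D("250000"))]
DEEP_ASKS = [(D("0.04"), D("50000000")), (D("0.06"), D("80000000")),
             (D("0.10"), D("120000000")), (D("0.30"), D("150000000"))]
SPOT, SHOCK, WEIGHT = D("0.04"), D("4"), D("0.8")
POSITION = D("10000000")  # hypothetical open long, in tokens

def assess(asks):
    """Return (cost, unlocked, flagged); flagged means the move pays for itself."""
    target = SPOT * (1 + SHOCK)
    cost = cost_to_move_price(asks, target)
    unlocked = unlocked_borrow(POSITION, SPOT, target, WEIGHT)
    return cost, unlocked, cost < unlocked

if __name__ == "__main__":
    for name, book in (("thin", THIN_ASKS), ("deep", DEEP_ASKS)):
        cost, unlocked, flagged = assess(book)
        print(f"{name}: cost={cost} unlocked={unlocked} flagged={flagged} "
              f"position cap={max_safe_position(book, SPOT, SHOCK, WEIGHT)}")
```

In this model, a position cap far below the open interest a venue allows signals that the reference market is too thin for the leverage offered against it.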